The Thai security apparatus has been under the spotlight following a series of allegations.

In a parliamentary committee hearing on 1 May, representatives from the three armed forces, the Internal Security Operations Command (ISOC), the Ministry of Defence, and the Royal Thai Police were called to explain their involvement in Information Operations (IOs) that have targeted Thailand’s own citizens.

The security sector leaders, primarily represented by Maj Gen Winthai Suvaree, the Army spokesperson, unanimously confirmed before the House Committee on National Security, Border Affairs, National Strategy and Reform that their agencies do not conduct such operations.

Instead, they claimed that their work involves only public relations and correcting misunderstandings. The target, Winthai stressed, is not an enemy but the general public, and the focus is not on any individual speaker.

Opposition MPs and public figures—many of whom have been targets of IOs, including some committee members—attended the hearing in an effort to uncover the operations and hold officials accountable.

The hearing followed revelations made during a censure debate in March, as well as an insightful report by researchers from the digital rights think tank Citizen Lab, based at the Munk School of Global Affairs and Public Policy, the University of Toronto.

During the censure debate, People’s Party MP Chayaphon Satondee disclosed documents said to have originated within the security apparatus and leaked to him by security officials loyal to democratic principles.

The documents revealed that a Combined Operations Centre had set up a Cyber Team led by Gen. Thammanoon Withee, former Assistant Army Commander-in-Chief, which had carried out over 84,000 attacks targeting dozens of individuals deemed threats to the monarchy, including the Prime Minister’s father, Thaksin Shinawatra, and the Minister of Interior, Anutin Charnvirakul.

Using the disclosed documents, researchers at Citizen Lab uncovered close links between the Cyber Team’s strategic plans and ’Big Sister Juk Khlong Sam’, codenamed JUICYJAM, an allegedly fake social media avatar notorious for doxxing, or revealing the personal information of pro-democracy activists with malicious intent.

Such actions were often accompanied by physical violence and judicial harassment. According to the researchers, the information used by Big Sister Juk Khlong Sam could only have come from government agencies, with the Royal Thai Police identified as the most likely source.

The Committee was chaired by Rangsiman Rome, an opposition People’s Party MP , who was recently the target of an abusive campaign for allegedly wearing a 562,000 baht Rolex Yacht-Master 42 watch, which turned out to be a 70,500 baht Seiko Prospex, a gift from his wife.

‘Wrong heading’

At the hearing, Chayaphon pressed security officials for an explanation regarding the information in the leaked documents, including the profiling of politicians and public figures as security threats or High Value Targets (HVT).

Maj Gen Winthai said the report was compiled from publicly available news sources including online media. However, the information had been categorized under incorect headings. Winthai stressed that the report was not classified, as it had been circulated to over 200 agencies and was also submitted to the Prime Minister.

Chayaphon questioned why Lt Gen Wanat Laksanasiri, Director of ISOC’s Intelligence Office, had signed off on an erroneous report and whether this amounted to a policy-level or operational-level failure, especially given that the report was ultimately meant for the Prime Minister’s review.

Winthai responded that, because the report was based on publicly available information, commanders may have overlooked certain details. He offered an apology on behalf of the Army and stated that the person responsible for mislabelling the report should face a reprimand or disciplinary action.

ISOC spokesperson Maj Gen Thammanoon Maison said that the annual assessment of the domestic situation, based on publicly available information, is conducted in accordance with Section 7 of the Internal Security Act as part of routine intelligence procedures.

He emphasized that the report is not part of any operational activity. The issue in question, he added, likely resulted from a staff error, with the wording intended to refer to a “political situation” rather than making any accusations.

No commissioning of influencers

Winthai said that the Army does work with influencers, either from within or outside the organization. He also presented slides featuring pages such as Rue History and Raksa Phaendin [Defending the Homeland], which many have long suspected of having military affiliations, as examples of platforms that help disseminate information.

Chutipong Phiphoppinyo, People's Party MP for Rayong Province and Secretary of the Committee, inquired whether the Rue History and Raksa Phaendin pages had been commissioned. The Army spokesperson clarified that his selection of these pages was based on personal appreciation of their content, and the pages were not official or commissioned.

Winthai explained that they simply maintain relations with influencers, whom he described as “fellow members of society” and “those who contribute to the country in different dimensions.” Maj Gen Winthai responded to Chutipong’s request for a list of influencers by saying he would take it as homework.

He also denied that the pulony.blogspot.com website—exposed in 2020 as part of an IO campaign targeting stakeholders in the southern border provinces—belonged to the Army. Apart from the official Army accounts and affiliated influencers, he said there were no other public relations accounts. Winthai added that there is currently a page using his own name, which he is not involved with at all.

Big Sister Juk Khlong Sam scrutinized

Piyarat Chongthep, People’s Party MP for Bangkok , followed up with a question about the social media account known as Big Sister Juk Khlong Sam. He asked whether the appearance of the account’s profile picture, Charlotte Linlin from One Piece, on an LED screen at Army Headquarters in 2021 was merely a coincidence.

At the time, Piyarat led WeVolunteer (WeVo), a volunteer group that provided frontline support and security for protesters, and was among those targeted by the Big Sister Juk Khlong Sam account. During the protests, the phones of Piyarat and several group members were also infected with the Pegasus spyware, and up to 66 members faced various legal charges, including royal defamation.

According to Citizen Lab, Big Sister Juk Khlong Sam “is an uncommon instance of a successful state-sponsored influence operation” with “almost 110,000 followers on its X account” and “a combined (non-unique) count of more than 133,000 followers on Facebook.” Furthermore, “the vast majority of that audience, and of the consequent engagement, appears to be authentic.”

Maj Gen Winthai responded that the appearance of the Big Sister Juk Khlong Sam account on the public messaging screen was the result of individual error and confirmed that there had been no official commissioning. Later in the hearing, he remarked that the language used by the account did not resemble that of a bureaucrat, but rather someone with a media background.

Pannika Wanich, spokesperson of the Progressive Movement Foundation and an advisor to the committee, cited a study by Citizen Lab highlighting the fact that Big Sister Juk Khlong Sam’s doxxing campaign involved personal information that could only have been accessed by government agencies.

This included data from the MOHPROMPT system, hospital medical records, vaccine information, national ID numbers, immigration records from the Immigration Bureau, and flight details. As an example, Pannika shared that her own personal information, including her national ID number and international travel history, had been exposed and circulated by right-wing figures such as Arnond Sakworawich and Suphanat Aphinyan.

The dissemination of personal information without consent, which Pannika claimed constituted a legal violation, is allegedly aligned with the intricate network of supporters cultivated by the security apparatus.

Pannika presented an image to the committee that depicted an extensive network of pro-government social media pages. The graphic suggested points of coordination with state security agencies, with text indicating that government bodies could contact these pages to request the sharing of specific content.

Slide of various social media accounts identified as part of the IO network, presented by Pannika during the meeting.

Maj Gen Winthai clarified what he described as an incorrect use of wording, stating that the Army did not directly instruct the pages to post content, but rather distributed information broadly to anyone willing to assist, calling it “mind-to-mind communication.”

He added that if any action is found to be illegal, the Army is willing to cooperate and take responsibility.

Pol Lt Gen Achayon Kraithong, spokesperson for the Royal Thai Police, said at the hearing that if any actions are found to be illegal, appropriate measures will be taken. He added that the police are actively pursuing cases involving fake news and defamation.

Source of content

Chayaphon followed up by pressing the issue of photos taken from police and military lines during various protest events that later appeared on the Big Sister Juk Khlong Sam page. He questioned the nature of the relationship between this page and state officials.

Maj Gen Winthai reiterated that the page was not part of any official state mechanism, and that leaked information had always been widespread in society.

“State information stamped as secret, Mr Chayaphon still has it,” said Winthai. “I’m still thinking that with regard to the information, if we look into a normal society, ordinary family lives, even information from inside homes still leaks out. I don’t want those things that happen to be connected.”

Pol Lt Gen Achayon said that the use of inauthentic avatars still needs to be investigated to uncover the real individuals behind them. He denied any knowledge of a police-related image appearing on the Big Sister Juk Khlong Sam’s page and said he was open to looking into the matter.

Puangthong Pawakapan, an advisor to the parliamentary committee and an academic who was also targeted by IOs for her work on the military’s infiltration into Thai society, built on Pannika's concerns to inquire about the ISOC Data Centre and its information gathering practices, which had been in development since the Prayut administration.

Citing official documents, Puangthong noted that the Data Centre collects a wide range of sensitive information including records of travel in and out of the country, vehicle registrations, and civil registration records. She questioned the rationale behind the accumulation of such data, raising concerns about potential data breaches and the lack of clarity on how and where this data might be stored or leaked.

Puangthong said public distrust stems from systematic IO attacks targeting anyone who challenges the military or government. While debate is healthy in a democracy, these operations often cross the line into personal harassment, a practice she warns harms both society and democratic progress. As long as security agencies cling to outdated views, she said, such tactics will likely continue.

Maj Gen Thammanoon Maison of ISOC clarified that the Data Centre collects information relevant to ISOC’s operations, including national security, illegal border crossings, deforestation, and terrorism. ISOC has also been focusing efforts on financial activity data to combat call centre scams. Additionally, there is special security data related to the three southern border provinces. However, the Centre does not store such personal information.

Rangsiman questioned what tools the security agencies were using, noting reports of attempts to gain access to people's passwords. In response, Winthai stated that no additional electronic surveillance tools were being used, and if there were, they would appear in procurement records. As for listening in to information in society (social listening), he said it simply involved tracking keywords.

Role of a retired general

People’s Party MP Romadon Panjor said that social media pages such as Deep South Provinces and Big Sister Juk Khlong Sam accused both him and the People’s Party of being affiliated with the Barisan Revolusi Nasional (BRN) and that such accusations are detrimental to the legislative branch.

Romadon followed up by asking whether the Cyber Team led by Gen Thammanoon Withee was still active, and which budget it was operating under, noting that such matters require scrutiny—especially with the national budget bill coming up for deliberation.

According to leaked documents, the Cyber Team led by Gen Thammanoon was a creation of the Joint Operations Command, a collaborative structure involving civilians, police, and military personnel, where he served as Deputy Director.

The establishment of the Cyber Team appeared to have been carried out in secrecy, under a directive from the Royal Thai Army’s Special Security Working Group. The directive also instructed other security agencies within the Joint Operations Command to form their own special security working groups, build networks of influencers and carry out operations, and assigned ISOC to profile public figures and monitor civil society activities across the provinces.

Rangsiman Rome asked whether the directive had been carried out under the supervision of the Ministry of Defence, and if not, whether there was an ongoing investigation into its arbitrary actions. However, the question appeared to go unanswered.

Although Gen Thammanoon has passed retirement age, the Royal Gazette in October 2023 announced his appointment to military positions as a royal servant under the Royal Office. This raises questions about his current role in the chain of command, particularly in relation to the Cyber Team, the Joint Operations Command, and his broader involvement in military affairs.

Winthai said that the leaked documents were from 2021 when Gen Thammanoon was still a commander of the Cyber Team. However, he has now retired and his position has been filled by the Deputy Commander-in-Chief of the Royal Thai Army.

Chayaphon raised questions over Gen Thammanoon’s continued involvement after he was recently seen inspecting military training. According to an Army public relations page, he was still referred to as the Deputy Director of the Joint Operations Command as recently as February 2025, when he presided over a military drill in Lopburi.

Maj Gen Winthai clarified that the Joint Operations Command includes a royal unit where personnel often continue serving beyond the official retirement age. He said its primary duties are to provide security during royal visits, assist those paying their respects, and manage public traffic along designated routes. Beyond these roles, he emphasized, the Command has no other responsibilities.

Nonpartisan issue

Pheu Thai Party MP Sutham Saengprathum commented that the propaganda operation leading up to the October 6 massacre distorted a student play at Thammasat University by portraying it as mocking the Crown Prince. He likened such propaganda to releasing a virus—one that incites violence, as seen when unarmed people were burned alive.

Sutham went on to say that similar behaviour still persists today; even he had once been falsely listed in a so-called “anti-monarchy network,” despite never holding such views. He stressed that this kind of manipulation has caused significant damage and lost opportunities for the country, and that any misunderstandings must be corrected.

Rangsiman said on the day after the hearing that the committee will send letters to various agencies requesting further clarification and will forward the matter to the Ombudsman’s Office and the National Anti-Corruption Commission (NACC) for further investigation.

The committee also noted that if this was indeed a document error, as the officials admitted, those responsible should be penalized. It further called on ISOC to demonstrate sincerity by identifying those accountable.

Minister of Interior Anutin Charnvirakul who was also on ISOC’s watch list, posted on Facebook on 2 May asking everyone to “please not issue information or write reports that are slipshod which say that I exploit the monarchy for political gain. … Such allegations are baseless and untrue. Please correct the information. We are all subjects of the King.”

In response, Winthai confirmed on 3 May that the document does not accuse Anutin of sycophancy at all. And in fact, he had been portrayed positively in relation to the monarchy, and that the leaked document had been misinterpreted, which led to misunderstandings about the organizations and individuals involved.

Accountability challenges

IOs have been exposed multiple times during censure debates. However, little progress has been made in addressing impunity.

The Citizen Lab’s report called on platforms, including X and Facebook, to address loopholes in combating doxxing. This includes establishing a hotline, identifying and removing doxxing networks, and protecting civil society from doxxing, especially in vulnerable countries. However, the call has yet to be answered.

Asst Prof Thitirat Thipsamritkul of the Faculty of Law at Thammasat University told BBC Thai several days before the committee hearing that doxxing, as in the case of Big Sister Juk Khlong Sam, would instil fear among activists and lead to a chilling effect, causing dissidents to censor themselves. But holding the perpetrators accountable remains a challenge because the burden of proof falls on the complainant.

"Civil society has tried to raise complaints and questions about this thing in the past, whether through parliamentary committees or by trying to sue organizations which leave some clues that they are of the ones carrying out these operations. But the state will respond by brushing it off and the easiest thing is to say 'there is no evidence that the state did it.' This stalls any further progress, as seen in the case of the Pegasus spyware," said Thitirat.

Constitutional court judge hopeful rejected

Another implication following the hearing concerns Prof Dr Chaiyan Chaiyaporn of the Faculty of Political Science at Chulalongkorn University, who was accused by exiled historian Somsak Jeamteerasakul of being part of the military’s IO network.

Somsak posted on Facebook the same image that Pannika presented during the committee hearing, identifying Chaiyan’s entry, along with others, as an academic supporting the military’s IO efforts. According to Somsak’s interpretation of the symbols and abbreviations in the image, content distribution by Chaiyan could be coordinated directly through the Royal Thai Army, which he identifies as Chaiyan’s point of contact.

On 6 May, Chaiyan filed a complaint with the Technology Crime Suppression Division, seeking to prosecute Somsak for defamation and violation of the Computer Crime Act.

“This accusation damages my image as an academic. I have always encouraged my students and young people to think for themselves, to use their own reasoning, and to be brave enough to work things out by themselves without fearing any authority or influence,” said Chaiyan.

“However, expanding or sharing one’s thoughts must be within the framework of the law. I wish to affirm that my Facebook account is not an IO account of the military. If anyone has doubts about any particular issue or thinks that any post was not by me, I welcome questions.”

Recently, Chaiyan applied to be a constitutional court judge, but was rejected after presenting his vision and responding to questions from the selection committee on 8 May. Pol Lt Col Sutham Cheurprakobkit, a professor in public administration at the Faculty of Social Sciences and Humanities, Mahidol University, was selected instead.